TEHTRIS DECEPTIVE RESPONSE and its honeypots simulate fake machines and services in order to fool intruders.

Deceptive Response

TEHTRIS Deceptive Response provides an effective real-time alarm system, upstream of intrusions, providing a complementary view for the security of your systems and infrastructures. By adding false resources to your network, these sensors lure attackers and provide you with reports and event dashboards.

Unlike products that have to shuffle billions of data, with the risk of generating false alarms, the TEHTRIS Deceptive Response service will only be requested when there is an interaction with it, and usually no one is supposed to play or attack these fake machines that are not officially existing on the network for production purposes.

When a hacker targets a network fortified with TEHTRIS Deceptive Response, he will take the risk of falling on the wrong machines, the famous decoys, triggering an alarm. The hacker has no right to make a mistake, which will complicate his internal exploration sessions, and his lateral movements.

Latest Updates

  • Added new alert dashboarding features
  • Added Data Science features
  • Deployed new global cloud-based cyber surveillance infrastructure with a network of hidden honeypots in dozens of countries
  • Implementation of compatibility between TEHTRIS alerts and MITRE Att&ck rules
  • Integration of honeypots in the new console of the TEHTRIS XDR Platform



At the network levelTEHTRIS Deceptive Response can cover all VLANs in a network zone without the need to manually deploy a dummy device in each VLAN.


TEHTRIS Deceptive Response greatly simplifies the complexity of honeypots projects, in operation mode, with TEHTRIS ensuring deployment and maintenance in operational condition.


TEHTRIS Deceptive Response includes a fleet of honeypots natively integrated to the TEHTRIS XDR Platform with SOAR, CTI, Hunting, Compliance, Incident Management, etc.


TEHTRIS Deceptive Response does not modify systems in production, simply adding fake machines, without the risk of disrupting existing elements.


TEHTRIS Deceptive Response runs on appliances using the TEHTRIX distribution that are fully disk encrypted, with advanced protection mechanisms such as RBAC in the kernel and 0day protection.


The Co-Founder of TEHTRIS has been creating honeypots for over 20 years, having been invited by armies and intelligence services around the world, including studies related to counterattack or dynamic and proportional incident response.


- 99 day

to deploy

+ 1 millions

important alerts
every month

+ 999 milliard

interactions monitored worldwide annually by TEHTRIS honeypots


TEHTRIS Deceptive Response covers all network layers from Level 3 to Level 7, providing the ability for attackers to interact remotely, but with fake machines. We thus offer network level (IP+ICMP, TCP, UDP) and application level fake layers to simulate SSH access, Web, Windows services, etc.

TEHTRIS Deceptive Response is very simple to deploy, by setting-up each virtual appliance dedicated to this business, at the heart of your infrastructure. A simple boot of our installation ISO, and 4 basic answers later, you have your own honeypots that are installed in your network, knowing that the whole service is remotely operated by TEHTRIS, in SaaS mode.

A computer decoy is a system capable of making an attacker believe that he is interacting with a real machine, a real service, a real file, etc. A computer decoy is a system capable of making an attacker believe that he is interacting with a real machine, a real service, a real file, etc., in your company, while this is not true. There are many decoys, but some are obviously not very effective, or very well-known and not very annoying to hackers.

By deploying TEHTRIS Deceptive Response, you create value in many different ways. Hackers will waste time instead of attacking your real machines giving you the opportunity to be better prepared during crises. Also, they will be detected in the early stages of an attack while they are still mapping your networks. And finally, you will have the opportunity to understand their operational methodologies in order to better protect your real networks.

We offer several levels of interaction while maximizing our goal of saving time and gathering information from attackers. SOC teams are already struggling to try to follow the logs of real devices. So, without falling into the issues related to high interaction that would cost too much time for humans, far from the real production, we decided to create a tactical system, very field-oriented, combining weak interactions or beyond, to be informed during the upstream phase of an attack.

We think it’s best to deploy decoys inside the network, in very sensitive areas for example, such as your data centers, critical factories, etc. We also think it’s best to deploy decoys in the network, in very sensitive areas such as your data centers, critical factories, etc. We think it’s best to deploy decoys inside the network. We have customers who have deployed TEHTRIS Deceptive Response on network parts where there is virtually no interaction, such as a fairly closed DMZ. So, the day a hacker enters an exposed web site, he will quickly be detected by starting an in-depth exploration phase to escape that DMZ, by visiting neighboring machines. We have customers who have deployed TEHTRIS Deceptive Response on networks that are totally open to internal users, because they wanted to gain certainty about specific at-risk staff (temporary subcontractors particularly interested by crafting discovery packets). Finally, we have customers who have managed to detect attacks via external Wifi for guests, because TEHTRIS Deceptive Response was solicited in a very particular way by supposed to be friendly visitors, who could not guess an anti-spying honeypot was waiting for them on these floors.

We see absolutely every network packet that comes into the honeypots and we have the ability to quickly understand if it is a false positive or not. Indeed, many people believe in the myth of honeypots, but the reality on the ground is that these tools also generate a lot of alerts and we need to understand what is normal and what is not. We therefore monitor several services in particular, such as SSH, Windows, and the Web.

All actions are fed back into the TEHTRIS XDR Platform to which the honeypots are connected. This allows you to benefit from all the other security bricks, such as hunting, CTI, audits, etc. For example, a SOC analyst can quickly see an aggressive IP, doing an “Nmap” scan on a honeypot, and check if the internal IP address is known or go investigate with TEHTRIS EDR on it.

We have all TCP/IP interactions that are notified, as well as high interactions with specific decoys like SSH, Web or even Windows parts. For some interactions, TEHTRIS Deceptive Response users particularly appreciate being able to watch the hacker on video. For SSH, you can follow all typed commands step by step to understand the level, motivations, goals, and tools used. This gives us a rather original and unique way to track hackers.

As TEHTRIS Deceptive Response is deployed on a sensitive area, we listen to the available local flows, beyond the Unicast flows received towards us, and we build a vision of the neighboring machines, in CMDB mode. This is not the main function of TEHTRIS Deceptive Response, but it was very useful for us to know where a laptop was connected for the first time, in which factory, on which VLAN, and above all to do what.

Mitre Att&ck compliance

MITRE ATT&CK is a knowledge base with a modeling of the behavior of a cyber attacker, illustrating all phases of a cyber attack’s life cycle in relation to targeted platforms: Windows, Mac, Linux, mobile, etc.

Discover the compatibility of TEHTRIS XDR with MITRE ATT&CK

© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.